Access to the Internet and other wide area networks (WANs) has become pivotal to many businesses and other organizations, including for email, research, information exchange, and content delivery. This access offers an organization tremendous improvement in productivity and flexibility. Unfortunately, remotely located criminals attempt to use the organization's Internet/WAN access as a doorway for attacking the organization.
Most networks that provide an interface to the Internet can be a target of an attack. Some attacks involve attempts to gain access to digital assets and private data, for example to steal, alter, or destroy information. Other attacks are designed to degrade or hamper performance of a device connected to a network or to impair a section of a network or an entire network. As will be appreciated by those skilled in the art, attacks come in many different forms, and attack technologies are ever evolving and becoming more sophisticated.
Conventional attack detection systems are typically limited in terms of analysis type and sophistication, are usually confined to utilizing information from one network or site, and are often one dimensional. For example, one conventional approach entails subjecting communications to a single countermeasure assessment aimed at determining whether a communication may contain an attack or malicious event. While this approach may identify many attacks, other attacks may evade detection. Moreover, a communication may be flagged as containing an attack when no actual attack exists. Conventional technologies often trade off between false positives and false negatives. Reducing the number of attacks that go undetected comes at the expense of labeling more legitimate communications as containing an attack. Likewise, decreasing the rate of reporting benign communications as threatening comes at the expense of failing to identify actual attacks.
Accordingly, a need is apparent for improved attack detection technology. A need exists for an attack detection system that can perform a multidimensional assessment on communications. A need also exists for an attack detection system that can combine the results of multiple countermeasure assessments to deliver an assessment providing improved false negative performance and improved false positive performance. A need further exists for an attack detection system that can utilize historical attack information to select countermeasure assessments, or a weighted combination of countermeasure assessments, that will provide suitable performance under a current set of operating conditions or for particular communications. A need further exists for information security technology that can detect attacks by leveraging attack information aggregated across diverse networks, network sites, and/or clients. A capability addressing one or more such needs, or some other related deficit in the art, would promote network security and would improve the benefits an organization can achieve through remote network access.
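The trade-off described above, and the idea of weighting several countermeasure assessments using historical attack information, can be made concrete with a small simulation. The following Python is an added illustration written for this page; it is not code from the patent or from any product it describes. The three assessments (a signature check, a request-rate check, and a source-reputation check), the weighting rule (weight each assessment by how well it separated past attacks from past benign traffic), the thresholds, and the sample communications are all constructed assumptions chosen to show the effect, not a real detection engine.

```python
"""
Single-assessment trade-off versus a weighted combination of assessments.

Added example, not from the original text. Three hypothetical countermeasure
assessments each return a score in [0, 1]; a weighted sum is compared against
one threshold. The sample communications are constructed so that any single
assessment must trade false positives against false negatives, while the
combined score separates the two classes at one threshold.
"""
from dataclasses import dataclass


@dataclass
class Communication:
    label: str           # ground truth, "attack" or "benign" (constructed)
    payload: str         # request text as seen by the sensor
    rate_per_sec: int    # recent request rate from the source address
    known_bad_src: bool  # source appeared in prior attack records


# --- three hypothetical countermeasure assessments --------------------------
SUSPICIOUS_TOKENS = ("../", "<script", "' or 1=1")   # toy signature set


def signature_assessment(c):
    """Fraction of signature tokens present, capped at 1.0 (two hits = 1.0)."""
    hits = sum(tok in c.payload.lower() for tok in SUSPICIOUS_TOKENS)
    return min(1.0, hits / 2)


def rate_assessment(c):
    """Request rate scaled so that 500 req/s or more scores 1.0."""
    return min(1.0, c.rate_per_sec / 500)


def reputation_assessment(c):
    """Binary: source previously seen in attack records or not."""
    return 1.0 if c.known_bad_src else 0.0


ASSESSMENTS = (signature_assessment, rate_assessment, reputation_assessment)


def combined_score(c, weights):
    """Weighted sum of all assessment scores for one communication."""
    return sum(w * f(c) for w, f in zip(weights, ASSESSMENTS))


def evaluate(comms, scorer, threshold):
    """Return (false_positives, false_negatives) for a scorer at a threshold."""
    fp = fn = 0
    for c in comms:
        flagged = scorer(c) >= threshold
        if flagged and c.label == "benign":
            fp += 1
        if not flagged and c.label == "attack":
            fn += 1
    return fp, fn


def weights_from_history(history):
    """Derive assessment weights from labelled historical communications.

    Each assessment is weighted by how far its mean score on past attacks
    exceeded its mean score on past benign traffic (assumed rule, chosen for
    illustration). Weights are normalised to sum to 1.
    """
    separations = []
    for f in ASSESSMENTS:
        atk = [f(c) for c in history if c.label == "attack"]
        ben = [f(c) for c in history if c.label == "benign"]
        separations.append(max(0.0, sum(atk) / len(atk) - sum(ben) / len(ben)))
    total = sum(separations) or 1.0
    return [s / total for s in separations]


# Constructed sample traffic. For brevity the same list serves as the
# "historical" record used to derive weights and as the traffic being scored;
# in practice the two would be distinct.
SAMPLE = [
    Communication("attack", "GET /../../etc/passwd?q=<script>", 20, False),
    Communication("attack", "GET /index.html", 800, False),      # flood only
    Communication("attack", "POST /login user=' or 1=1", 50, True),
    Communication("benign", "GET /docs/<script-tutorial>", 10, False),  # looks bad
    Communication("benign", "GET /api/status", 100, False),      # busy but fine
    Communication("benign", "GET /", 5, False),
]


def run_demo():
    """Return FP/FN counts for single assessments and for the combination."""
    weights = weights_from_history(SAMPLE)
    return {
        "signature@0.5": evaluate(SAMPLE, signature_assessment, 0.5),
        "rate@0.5": evaluate(SAMPLE, rate_assessment, 0.5),     # misses 2 attacks
        "rate@0.03": evaluate(SAMPLE, rate_assessment, 0.03),   # catches all, 1 FP
        "combined@0.25": evaluate(SAMPLE, lambda c: combined_score(c, weights), 0.25),
    }


if __name__ == "__main__":
    for name, (fp, fn) in run_demo().items():
        print(f"{name:14s} false positives={fp} false negatives={fn}")
```

Lowering the rate threshold from 0.5 to 0.03 removes both false negatives but introduces a false positive, which is exactly the trade-off the text describes for a single countermeasure; the signature check alone cannot be thresholded to avoid both errors at all, because one attack carries no signature and one benign request does. The history-derived weighting separates the constructed attacks from the benign traffic at a single threshold with no errors on this sample. The sample is small and the weights were fitted on the same traffic they are evaluated on, so the point is the mechanism rather than the specific numbers.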